Spyware, Viruses, & Security forum


NEWS - May 30, 2013

by Carol~ Moderator / May 30, 2013 3:46 AM PDT
Drupal.org sees account info compromised, asks users to reset passwords

The Drupal Association reported today that an individual or a group of them gained "unauthorized access" to account information stored on its Drupal.org and groups.drupal.org sites. The organization blamed malicious code uploaded through third-party software and says that while user information was exposed, no credit card information was stolen. Additionally, those sites running Drupal generally have not been affected.

The association is asking all users to reset their passwords out of caution.

Holly Ross, the Drupal Association's Executive Director, said that during the course of a security audit, the group noticed malicious files on its servers and shut down its association.drupal.org website to "mitigate any possible security issue related to the files." It was during the course of its forensic audit that Drupal discovered user information had been disclosed.

Continued : http://thenextweb.com/insider/2013/05/30/drupal-org-hacked-with-account-info-exposed-third-party-software-to-blame-passwords-must-be-reset/

Related:
Drupal.org resets login credentials after hack exposes password data
Drupal resets account passwords after detecting unauthorized access
Drupal.org compromised
Drupal.org Gets Hacked, Resets All User Passwords

Google cuts grace period for vendors of vulnerable software
by Carol~ Moderator / May 30, 2013 4:05 AM PDT
In reply to: NEWS - May 30, 2013

Google is shortening the amount of time it gives to makers of vulnerable software and web services if there is imminent danger. The Google security team says that if it encounters a zero-day issue that is already being actively used for cyber attacks, it will grant the affected manufacturer just seven days' grace to fix the vulnerabilities or publish an advisory with mitigation strategies for users.

After seven days, Google wants to publish details of the vulnerability in such a way that users of the vulnerable software can protect themselves from attacks. Previously, the company had given vendors sixty days before it went public with details of vulnerabilities. Google says, though, that it has found zero-day vulnerabilities being used to target a limited subset of people and this targeting makes the attack more serious than a widespread attack and more important to resolve quickly, especially where political activists are being compromised and the attacks can have "real safety implications" in some parts of the world.

Continued : http://www.h-online.com/security/news/item/Google-cuts-grace-period-for-vendors-of-vulnerable-software-1873878.html

Related:
Google Advocates 7-Day Deadline to Publicize Critical Vulnerabilities
Google: Security flaws not fixed in a week should be made public
Google defines disclosure timeline for actively exploited bugs

Caution! Fraud!
by Carol~ Moderator / May 30, 2013 4:06 AM PDT
In reply to: NEWS - May 30, 2013

From the Kaspersky Lab Weblog:

Lately, our traps have been catching emails like these: [Screenshot]

In them someone with a very English name is asking to book a hotel or air tickets for their family. A naïve recipient would think "Ah, wrong address".

A more experienced user would no doubt smell a rat. First of all, the email does not contain a personal appeal. Secondly, there is no hotel name or even the name of the country where the supposed visitor intends to stay. Instead, the message says "your country" or "your area", which is typically ambiguous language used by spammers spreading mass mailings. Moreover, the language in these emails seems a bit unnatural which is unusual given that native speakers are supposedly writing them. The text contains grammatical and punctuation errors.

So, the email is suspicious, but what's the catch?

Continued : http://www.securelist.com/en/blog/8102/Caution_Fraud

PayPal vulnerability finally closed
by Carol~ Moderator / May 30, 2013 4:41 AM PDT
In reply to: NEWS - May 30, 2013

On Wednesday night, payment processor PayPal closed the security hole in its portal that had been publicly known for five days. The company had been aware of the vulnerability for about two weeks. The hole was a critical one: it allowed attackers to inject arbitrary JavaScript code into the PayPal site, potentially enabling them to harvest users' access credentials.

Why PayPal took so long to fix the hole is incomprehensible - the information required to exploit the hole has been circulating on the net since last week and there was an urgent need for immediate action. In similar cases, affected companies tend to respond within 24 hours.

Continued: http://www.h-online.com/security/news/item/PayPal-vulnerability-finally-closed-1873322.html

Related: PayPal to Fix XSS Flaw, But No Reward For Researcher

Sorry? Is a US report recommending ransomware to target ..
by Carol~ Moderator / May 30, 2013 4:41 AM PDT
In reply to: NEWS - May 30, 2013
... copyright thieves?

A major report (pdf) was released last week by the US IP Commission. It has spurred a glut of controversy in the press.

Initially, the media offered a sober review of the rather lengthy findings and recommendations in the report.

But soon afterwards, journalists and bloggers started observing that the report includes highly aggressive and potentially controversial measures, such as recommending the use of ransomware to attack suspected copyright abusers, as well as retaliatory hacking attacks to retrieve stolen data.

Sorry? This sounds crazy. Can this report seriously be recommending that businesses and governments use malware and hacking to fight back against corporate snooping and copyright dodgers?

Continued: http://nakedsecurity.sophos.com/2013/05/30/copyright-malware/

Underweb Payments, Post-Liberty Reserve
by Carol~ Moderator / May 30, 2013 8:24 AM PDT
In reply to: NEWS - May 30, 2013

Following the U.S. government's seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR's show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry's crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government's action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce. [Screenshot]

Continued : https://krebsonsecurity.com/2013/05/underweb-payments-post-liberty-reserve/

Related: U.S. Government Seizes LibertyReserve .com

Evernote Debuts Two-Factor Authentication, How to Get It
by Carol~ Moderator / May 30, 2013 8:40 AM PDT
In reply to: NEWS - May 30, 2013

Evernote users rejoice! Months after the great Evernote hack, the note-keeping company has rolled out two-factor authentication to keep you just a little safer. Here's how to set it up.

In March, Evernote acknowledged a major security breach that led the company to reset the passwords for all of its users. This morning, Evernote rolled out a two-factor authentication system for its Premium users. Once you activate two-factor authentication you'll have to enter a code from a text message, the Google authenticator app, or copied from a set of printed one-time-use passcodes each time you log in to Evernote.

In a release, Evernote said that the feedback from the Premium users will be used to ensure the company is ready to roll out the new feature for all users "in the near future." If you're not a premium user, you can become one for $5 a month.

Continued: http://securitywatch.pcmag.com/security/312043-evernote-debuts-two-factor-authentication-here-s-how-to-get-it

Also: Evernote rolls out 2-factor authentication for paying customers
